Only particular failure - WAN issues



  • Hi,

    I have set up two nodes CARP. Works fine so far.
    Going to "Status -> CARP (failover)" I can see the current state. Clicking (on the current master) "Enter persistent CARP maintenance mode", it fails over to the second node and there is only a minimal interruption in network connection.

    BUT when I simulate the failure of a single NIC (ie by disabling the switch port) the secondary takes control of the failing interface and is now master for just this interface. Sounds good.

    But unfortunately no Internet/WAN connection can be made at this stage. LAN can reach the virtual IP (now at the secondary pfSense) but it cannot go further in the direction of the WAN.

    I assume this has something to do with my NAT configuration. I have created a CARP interface for WAN, too. Virtual IP there is .99. To which IP address do I have to configure my NAT?

    1. When configuring it for .99 (virtual) it is failsafe. But it does not cover the "single interface failure" I tested above (because it NATs to .99 on both active WAN interfaces).

    2. When configuring it for the correct address (.201 for master, .202 for backup) connections will be lost during a failover, right?

    So what might be the solution for this scenario?

    Thanks!


  • Netgate

    Is the primary node actually seeing the interface go down? That is what is necessary to trigger a failover. It will fail over just fine with an actual interface failure. Even only one of many.

    CARP does not protect against a failure at Layer 2. It is up to you to provide Layer 2 redundancy in addition to Layer 3.

    It has zero to do with NAT.